Keeping up: The Enterprise Strategy Group, a consulting firm, asked 308 IT professionals in large companies what factors motivated their decisions to improve data security. Regulatory compliance topped the list.

Last month, Sony revealed the price tag associated with cleaning up the massive security breach that exposed personal information of more than 100 million users of its PlayStation Network and Qriocity streaming-media services: at least $171 million. It was the largest such breach any company had ever experienced, according to Sony’s chairman, Sir Howard Stringer, and the staggering sum will cover security improvements, customer compensation, and investigative services. But the full toll will be harder to measure, because it will include the loss of customer confidence in the company.

The episode was a reminder of the stakes involved in data security—and an indicator that many organizations are not protecting themselves well enough. “When it comes to all of these security problems, companies aren’t spending up front but have to spend a lot of money on the back end to fix things,” says Thomas Ristenpart, a computer security researcher at the University of Wisconsin, Madison.

This month, Business Impact focuses on securing data against theft and loss. We will explore the security tactics that companies ought to be using, the investments they ought to be making, and the questions they ought to be asking. We’ll examine smart practices for mobile devices, remote workers, and cloud computing, and we’ll get insights from top thinkers in the field.

Threats to the security of information are multiplying in part because the world’s storehouses of data are rapidly growing as the cost of storage plummets and the availability of computers and network access expands. As this mother lode of data grows, so does its attractiveness to criminals and hackers.

To protect themselves, businesses can impose access controls on confidential data, encrypt this data and appropriately manage encryption keys, audit user activities, and bring on consultants to make sure security practices are up to date. And since the weak link in the security chain is often people, one of the most important things businesses can do is simply to train employees on basic data security practices. This month’s package of stories will argue that information security isn’t just a matter for the IT department to worry about. It has to register throughout a company, starting at the highest levels, where decisions about capital investments are made.